T. Kemmerich, N. Kuntze, C. Rudolph, L. Grosskopf


An important area in digital forensics is images of hard disks. The correct production of the images as well as the integrity and authenticity of each hard disk image is essential for the probative force of the image to be used at court. Integrity and authenticity are under suspicion as digital evidence is stored and used by software based systems. Modifications to digital objects are hard or even impossible to track and can occur even accidentally. Even worse, vulnerabilities occur for all current computing systems. Therefore, it is difficult to guarantee a secure environment for forensic investigations. But intended deletions of dedicated data of disk images are often required because of legal issues in many countries.
This article provides a technical framework on the protection of the probative force of hard disk images by ensuring the integrity and authenticity using state of the art technology. It combines hardware-based security, cryptographic hash functions and digital signatures to achieve a continuous protection of the image together with a reliable documentation of the status of the device that was used for image creation. The framework presented allows to detect modifications and to pinpoint the exact area of the modification to the digital evidence protecting the probative force of the evidence at a whole. In addition, it also supports the deletion of parts of images without invalidating the retained data blocks.


digital evidence; probative force hard disk image; verifiable deletion of image data; trusted imaging software

Full Text:



Andrew, M. W. (2007). Defining a process model for forensic analysis of digital devices and storage media. In Systematic Approaches to Digital Forensic Engineering, 2007. SADFE 2007. Second International Workshop, IEEE, 2007, 16–30.

Claar, J. F., Duvall, R. M., & Oliver, R.J. (2000). File system block sub-allocator, March 21 2000. US Patent 6,041,407.

European Committee for Standardisation (CEN). (2001). CWA 14169: Secure signature-creation v s EAL 4+ . CEN W kshop Agreement.

BSI (Bundesamt für Sicherheit in der Informationstechnik, Germany). (2011). (BSI). Leitfaden IT Forensik.

Garfinkel, S. L. (2006), Aff: A new format for storing hard drive images. Commun. ACM, 49(2):85–87.

Hasenstein, M. (2001). The logical volume manager (lvm). White paper, 2001.

Herbert, H. C., David W Grawrock, D. W., Ellison, C. M., Golliver, R.A., Lin, D. C., McKeen, F.X., Neiger, G., Reneris, K., Sutton, J. A., Shreekant S., Thakkar, S.S., et al. (2006). Platform and method for remote attestation of a platform, January 24 2006. US Patent 6,990,579.

Jonsson, J., & Kaliski, B. (2003). Public-key cryptography standards (pkcs)# 1: RSA cryptography specifications version 2.1. Technical report, RFC 3447.

Knaus J. P., & Foley, T. E. (2001). Electronic records & signatures: The federal e-sign act and michigan ueta place them on legal par with their paper and ink counterparts. Mich. BJ, 80, 39-40.

Knight (G. 2011). Forensic disk imaging report, Technical Report. JISC. (Unpublished)

Kuntze, N., Rudolph, C., Alva, A., Endicott-Popovsky, B., Christiansen, J., & Kemmerich, T. (2012). On the creation of reliable digital evidence. In G. Peterson and S. Shenoi, editors, Advances in Digital Forensics VIII. Springer, ISBN 978-3-642-33961-5.

Kunz, T., Okunick, S., & P s , U. (2008). D s u u s u y su b y’s yp g p algorithms (dssc)-long-term archive and notary services (ltans). Technical report, IETF Internet-Draft.

Maurer, U. (1996). Modelling a public-key infrastructure. In Computer Security-ESORICS, 96, 325-350. Springer.

NIST (2012), National Institute of Standards and Technology. Test Results for Digital Data Acquisition Tool: ASR Data SMART.

Patterson, D. A., Chen, P., Gibson, G., & Katz, R. H. (1989). Introduction to redundant arrays of inexpensive disks (raid). I COMPCON Sp g’89. 34th IEEE Computer Society International Conference: Intellectual Leverage, Digest of Papers., IEEE, 112–117.

Pinheiro, E., Weber, W.D., & Barroso, L. A. (2007). Failure trends in a large disk drive population. In Proceedings of the 5th USENIX conference on File and Storage Technologies, 2.

Raghavan, S. (2013). Digital forensic research: current state of the art. CSI Transactions on ICT, 1(1):91–114.

Saudi, M. M. (2001). An overview of disk imaging tool in computer forensics. SANS Institute.


  • There are currently no refbacks.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

(c) 2006-2015 Association of Digital Forensics, Security and Law